Expert: Vendors, not coders, to blame for bugs

Computer security expert Bruce Schneier has waded into a debate over who is to blame for the security flaws that result from poorly coded software.

Last week, former White House cybersecurity advisor , launched the debate at a seminar in London. Schmidt argued that programmers should be held responsible for flaws in code they write. "In software development, we need to have personal quality assurances from developers that the code they write is secure," he said.

Related story

Schmidt's argument outraged large swathes of software developers, including tech luminaries such as Bruce Schneier, chief technology officer of Counterpane Internet Security. In his blog and in a Wired News column, Schneier took issue with Schmidt's comments, saying that the problem is with the companies selling the software, not with the developers.

Software companies are in the business of making a profit, Schneier argued. "They try to balance the costs of more secure software--extra developers, fewer features, longer time to market--against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales," he wrote.

The result, Schneier said, is "lousy software." Companies find money to "weather the occasional press storm" rather than to "design security right from the beginning."

"The end result is that insecure software is common," Schneier argued. "But because users, not software manufacturers, pay the price, nothing improves. Making software manufacturers liable fixes this externality."

Many ZDNet UK readers seem to agree with Schneier and put the blame for security problems squarely with the vendors selling the software.

The results of a ZDNet online poll, which attracted more than 1,000 respondents, showed that 53% of readers who replied felt that the blame lies with vendors. Of the rest, 40 percent said no one is to blame, and just 6 percent said software programmers were at fault.

As far as Schneier is concerned, "computer security isn't a technological problem--it's an economic problem."